Hyperledger Composer:: Error: The current identity must be activated (ACTIVATION_REQUIRED) - hyperledger-composer

Any one came across hyperledger composer's chaincode error like : Error: The current identity must be activated (ACTIVATION_REQUIRED)?? The identity which I am using showing ISSUED in composer-playground. But once I am using System/ping through REST server, chaincode log showing this error. I hope at the time when a participant submits a transaction using an enrollment certificate, the Composer chaincode extracts the enrollment ID from the enrollment certificate, and uses it to look up the participant instance that the identity was issued to. I issued identity through CLI and then I am using it in REST server without doing anything in CLI. I am not sure how to overcome this error. Appreciate! any help.
I updated all composer components to 0.12.2. I used the following CLI commands to issue identity:
composer participant add -p jiyababa -n 'digitalproperty-network' -i PeerAdmin -s adminpw -d '{"$class":"net.biz.digitalPropertyNetwork.Person","personId":"dcsen#abc.com","firstName":"Dul","lastName":"Sen"}'
composer identity issue -p jiyababa -n 'digitalproperty-network' -i admin -s adminpw -u dcsen1 -a "resource:net.biz.digitalPropertyNetwork.Person#dcsen#abc.com"
Still getting the same error at composer chaincode.
2017-09-17 14:56:12.599 UTC [Composer] Error -> ERRO 01e #JS : IdentityManager :getIdentity() Error: The current identity has not been registered:admin 2017-09-17 14:56:12.682 UTC [Composer] Error -> ERRO 01f #JS : IdentityManager :getIdentity() Error: The current identity has not been registered:admin 2017-09-17 15:09:58.641 UTC [Composer] Error -> ERRO 020 #JS : IdentityManager :validateIdentity() Error: The current identity must be activated (ACTIVATION_REQUIRED)
I also tried using "admin" user to add participant and issue identity but no luck: getting composer chaincode error::
Error: Unhandled promise rejection {activationRequired:true} at [anon] (/chaincode/input/src/composer/vendor/gopkg.in/olebedev/go-duktape.v3/duk_console.c:55) internal
#JS : IdentityManager :validateIdentity() Error: The current identity must be activated (ACTIVATION_REQUIRED)
But I can ACTIVATE the identity through composer CLI using the following command:
composer network ping -n digitalproperty-network -p jiyababa -i dcsen1 -s BEkeKFlLVnBL
Once I ACTIVATED through CLI, I could NOT use the identity in REST Server. That means, first transaction request from REST server not activating the identity in identity registry.

This can happen if you are using an old version of the CLI/Client Application/Rest Server trying to connect to a much newer version of the composer runtime that is deployed when you deploy the business network.
It sounds like you deployed a business network and issued identities using a newver version of the CLI, but haven't updated the Rest Server to the same version.
Information about updating can be found at
https://hyperledger.github.io/composer/managing/updating-composer.html

A temporary work around is to ACTIVATE the card yourself:
$ composer identity list -c admin#basic-sample-network
✔ List all identities in the business network
-
$class: org.hyperledger.composer.system.Identity
identityId: 8dc315997a5ad0ade3b4343c6b81ae37a3c2c7f22eddab90dd09717e7459772e
name: admin
issuer: ac3dbcbe135ba48b29f97665bb103f8260c38d3872473e584314392797c595f3
certificate:
"""
-----BEGIN CERTIFICATE-----
MIICAjCCAaigAwIBAgIUOA7RAw1TbKo2UjwkeS9YRCSFupowCgYIKoZIzj0EAwIw
czELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
biBGcmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMT
E2NhLm9yZzEuZXhhbXBsZS5jb20wHhcNMTgwODA4MDYzODAwWhcNMTkwODA4MDY0
MzAwWjAhMQ8wDQYDVQQLEwZjbGllbnQxDjAMBgNVBAMTBWFkbWluMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEeBeSqbzishSi0Q0+f0HavwPsN1240zIxuL12iWUR
U9aEO/cLusEr9fg44UUh3xzp4VQGChJ5TNRu4s/uBbuFxqNsMGowDgYDVR0PAQH/
BAQDAgeAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFF1ZYXNpBsGXEomhlTBT9NeJ
CUqIMCsGA1UdIwQkMCKAIBmrZau7BIB9rRLkwKmqpmSecIaOOr0CF6Mi2J5H4aau
MAoGCCqGSM49BAMCA0gAMEUCIQCMuttwm6sSCjtwl8xk4FZM4PHH0F5YGxJvNUjn
SeeCCQIgAmmD9aabcY7jHttdfAZ2zNepihdRKjN1xsxy4i7KaQ4=
-----END CERTIFICATE-----
"""
state: ACTIVATED
participant: resource:org.hyperledger.composer.system.NetworkAdmin#admin
Command succeeded

Related

Unable to create Azure-keyvault-backed secret scope on Azure Databricks

I am not able to create secret scope on Azure Databricks from Databricks CLI. I run a command like this:
databricks secrets "create-scope" --scope "edap-dev-kv" --scope-backend-type AZURE_KEYVAULT --resource-id "/subscriptions/ba426b6f-65cb-xxxx-xxxx-9a1e1656xxxx/resourceGroups/edap-dev-rg/providers/Microsoft.KeyVault/vaults/edap-dev-kv" --profile profile_edap_dev2_dbx --dns-name "https://edap-dev-kv.vault.azure.net/"
I get error msg:
Error: b'<html>\n<head>\n<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>\n<title>
Error 400 io.jsonwebtoken.IncorrectClaimException:
Expected aud claim to be: 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d, but was: https://management.core.windows.net/.
</title>\n</head>\n<body><h2>HTTP ERROR 400</h2>\n<p>
Problem accessing /api/2.0/secrets/scopes/create.
Reason:\n<pre> io.jsonwebtoken.IncorrectClaimException:
Expected aud claim to be: 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d,
but was: https://management.core.windows.net/.</pre></p>\n</body>\n</html>\n'
I have tried doing it with both user (personal) and service principal's AAD token. (I've found somewhere that it it should be a AAD token of user account.)
I am able to do it with GUI using same parameters.
In your case, the personal access token was issued for incorrect service - it was issued for https://management.core.windows.net/. but it's required that you use resource ID of the Azure Databricks - 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d.
Simplest way to do that is to use az-cli with following command:
az account get-access-token -o tsv --query accessToken \
--resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d

Error starting hyperledger-composer network after Fabric and Composer version upgrade

I've come across an error starting the hyperledger-composer network that isn't answered in the composer-wiki.
✖ Starting business network definition. This may take a minute...
Error: Error trying to start business network. Error: No valid responses from any peers.
Response from attempted peer comms was an error: Error: transaction returned with failure: can't find PEM header: undefined
Command failed
Checking pre-requisites,
Fabric 1.2
Composer 0.20.4
Node 8.12.0
Docker 18.01.1
"composer network install" was successful, with file appearing in the docker peer at /var/hyperleder/production/chaincodes
After running the "composer network start" command, a "docker ps" shows new docker instance with name:
dev-peer0.org1.example.com-<<business-network-name>>-0.0.7
But any attempt to ping this results in a failure like this:
Error: Error trying to ping. Error: make sure the chaincode <<business-network-name>> has been successfully instantiated and try again: getccdata composerchannel/<<business-network-name>> responded with error: could not find chaincode with name '<<business-network-name>>'
Checking the log of the dev-peer0, it ends with the following:
2018-11-05T05:03:18.227Z [4264161f] ERROR :Composer :Init() can't find PEM header: undefined
2018-11-05T05:03:18.227Z [4264161f] VERBOSE :Composer :#PERF Init() Total (ms) duration for txnID [4264161fc30a61c70884d4c7efb460fea6a755d07bc4852875c393346795227a]: 929.00
2018-11-05T05:03:18.228Z ERROR [lib/handler.js] [composerchannel-4264161f]Calling chaincode Init() returned error response [can't find PEM header: undefined]. Sending ERROR message back to peer
The corresponding error in the peer0 log is a big larger:
2018-11-05 05:03:18.229 UTC [endorser] SimulateProposal -> ERRO 439d [composerchannel][4264161f] failed to invoke chaincode name:"lscc" , error: transaction returned with failure: can't find PEM header: undefined
github.com/hyperledger/fabric/core/chaincode.(*ChaincodeSupport).Execute
/opt/gopath/src/github.com/hyperledger/fabric/core/chaincode/chaincode_support.go:202
github.com/hyperledger/fabric/core/endorser.(*SupportImpl).Execute
/opt/gopath/src/github.com/hyperledger/fabric/core/endorser/support.go:131
github.com/hyperledger/fabric/core/endorser.(*Endorser).callChaincode
/opt/gopath/src/github.com/hyperledger/fabric/core/endorser/endorser.go:173
github.com/hyperledger/fabric/core/endorser.(*Endorser).SimulateProposal
/opt/gopath/src/github.com/hyperledger/fabric/core/endorser/endorser.go:287
github.com/hyperledger/fabric/core/endorser.(*Endorser).ProcessProposal
/opt/gopath/src/github.com/hyperledger/fabric/core/endorser/endorser.go:501
github.com/hyperledger/fabric/core/handlers/auth/filter.(*expirationCheckFilter).ProcessProposal
/opt/gopath/src/github.com/hyperledger/fabric/core/handlers/auth/filter/expiration.go:61
github.com/hyperledger/fabric/core/handlers/auth/filter.(*filter).ProcessProposal
/opt/gopath/src/github.com/hyperledger/fabric/core/handlers/auth/filter/filter.go:31
github.com/hyperledger/fabric/protos/peer._Endorser_ProcessProposal_Handler
/opt/gopath/src/github.com/hyperledger/fabric/protos/peer/peer.pb.go:112
github.com/hyperledger/fabric/vendor/google.golang.org/grpc.(*Server).processUnaryRPC
/opt/gopath/src/github.com/hyperledger/fabric/vendor/google.golang.org/grpc/server.go:923
github.com/hyperledger/fabric/vendor/google.golang.org/grpc.(*Server).handleStream
/opt/gopath/src/github.com/hyperledger/fabric/vendor/google.golang.org/grpc/server.go:1148
github.com/hyperledger/fabric/vendor/google.golang.org/grpc.(*Server).serveStreams.func1.1
/opt/gopath/src/github.com/hyperledger/fabric/vendor/google.golang.org/grpc/server.go:637
runtime.goexit
/opt/go/src/runtime/asm_amd64.s:2361
2018-11-05 05:03:18.229 UTC [endorser] SimulateProposal -> DEBU 439e [composerchannel][4264161f] Exit
Since this last worked I have updated composer from 0.19 to 0.20.4, and taken Fabric from 1.1 to 1.2.
Googling suggests that this kind of error "can't find PEM header: undefined" is associated with a change in key signing. After tearing down Fabric I re-ran ./createPeerAdminCard.sh - is there another card or similar that needs to be re-created to accomodate the latest versions?
Thanks to #R Thatcher for putting me onto the right direction. This was all down to mismatching cards, and was resolved by clearing out everything and starting again.
Specifically, in /fabric-dev-servers:
./stopFabric.sh
./teardownFabric.sh
composer card list
composer card delete -c admin#<business-network-name>
composer card delete -c PeerAdmin#hlfv1
./startFabric.sh
./createPeerAdminCard.sh
Then changing into the composer/business-network-name directory:
composer network install --card PeerAdmin#hlfv1 --archiveFile business-network-name\#0.0.7.bna
composer network start -c PeerAdmin#hlfv1 -n business-network-name -V 0.0.7 -A admin -S adminpw --file networkadmin.card
composer card import --file networkadmin.card --card admin#business-network-name
composer network ping -c admin#business-network-name
So yes, it was about mismatching cards and not cleaning these up as part of a new deployment.
Although not part of the original problem, it's also worth noting that the -A and -S parameters of the composer network start command HAD to be set to admin and adminpw respectively. See composer issue #3781.
Answering the the last remark from #Capn Sparrow
"the -A and -S parameters of the composer network start command HAD to be set to admin and adminpw respectively."
This is the correct and expected behaviour :-)
with the composer network start command the -A and -S are specifying an existing user in the CA that we want a new set of Credentials (certificate and keys) for which is then bound to a Composer System participant.
When you use the 'standard development fabric' this has a CA configured with a user called 'admin' with a secret of 'adminpw'. If you had build your own Fabric from scratch you could choose the name and secret of your first default user. Alternatively you could work with the fabric-ca client software to create additional users in the CA.

Laravel Guzzle : curl error 77 error setting certificate verify locations

OS: Ubuntu 16.04
PHP : 7.2
CURL : curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Guzzle: 6.3
My project currently is using some packages that depends on Guzzle, e.g: AWS, Mailgun...However, it often threw out this error:
error: cURL error 77: error setting certificate verify locations:
CAfile: /etc/ssl/certs
CApath: /etc/ssl/certs (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
Below is part of my php.ini
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo='/etc/ssl/certs/ca-certificates.crt'
[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
openssl.cafile='/etc/ssl/certs/ca-certificates.crt'
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
openssl.capath='/etc/ssl/certs/'
None of this work, even though retrieving via ini_get() it's ok and fully recognized. For now, I have to make a workaround by modifying vendor/guzzlehttp/guzzle/src/Client.php and adjust default config to 'verify' => '/etc/ssl/certs/ca-certificates.crt' then everything's ok (which I believe not a good option)
retrieving via init_get()
array(8) {
["default_cert_file"]=> string(21) "/usr/lib/ssl/cert.pem"
["default_cert_file_env"]=> string(13) "SSL_CERT_FILE"
["default_cert_dir"]=> string(18) "/usr/lib/ssl/certs"
["default_cert_dir_env"]=> string(12) "SSL_CERT_DIR"
["default_private_dir"]=> string(20) "/usr/lib/ssl/private"
["default_default_cert_area"]=> string(12) "/usr/lib/ssl"
["ini_cafile"]=> string(34) "/etc/ssl/certs/ca-certificates.crt"
["ini_capath"]=> string(15) "/etc/ssl/certs/"
}
openssl.cafile: /etc/ssl/certs/ca-certificates.crt
curl.cainfo: /etc/ssl/certs/ca-certificates.crt
Note: I've tried setting up ~/.curlrc together with export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt but none of this work
Does anyone have any solution or any clue to solve this issue?
Relating to 'SSL certificate problem: unable to get local issuer certificate' error. Rather obviously this applies to the system sending the CURL request (and no the server receiving the request)
Download the latest cacert.pem from https://curl.haxx.se/ca/cacert.pem
Add the following line to php.ini (if this is shared hosting and you don't have access to php.ini then you could add this to .user.ini in public_html)
curl.cainfo="/path/to/downloaded/cacert.pem"
Make sure you enclose the path within double quotation marks!!!
grant permission to your web server user like ngnix or www-data to read the file.
sudo chown www-data /etc/ssl/certs/cacert.pem
last step restart fpm and ngnix or apache

Hyperledger composer multi user identity

I am following below tutorial
https://hyperledger.github.io/composer/integrating/enabling-rest-authentication.html
I am able to complete the steps till setting up default wallet identity. After this when i try system ping method I get the error.
{
"error": {
"statusCode": 500,
"name": "Error",
"message": "Error trying to ping. Error: Error trying to query chaincode. Error: chaincode error (status: 500, message: Error: The current identity has not been registered:maeid1)",
"stack": "Error: Error trying to ping. Error: Error trying to query chaincode. Error: chaincode error (status: 500, message: Error: The current identity has not been registered:maeid1)\n at _checkRuntimeVersions.then.catch (/home/praval/.nvm/versions/node/v6.11.1/lib/node_modules/composer-rest-server/node_modules/composer-connector-hlfv1/lib/hlfconnection.js:696:34)"
}
}
The same error I get while testing from access token.
curl -v http://localhost:3000/api/system/ping?access_token=xxxxx
Though I can run network ping successfully.
composer network ping -p hlfv1 -n 'digitalproperty-network' -i maeid1 -s NfUhmXtiaSUH
Thanks for help.
The problem you are seeing is described by this issue
https://github.com/hyperledger/composer/issues/1761
Both the CLI and Rest server have enrolled the user but this results in both environments storing certificates for the same identity that differ (for example issue and expiry dates). Whichever environment used their certificate first for that identity and activated that identity/participant in the runtime has their certificate registered. When the other environment presents their certificate it isn't found (because it is different to the first environment) and so reports that the identity is not registered.
The way to address this is if you plan to use the identity in the rest server, don't ping it from the CLI first.

"'Unable to contact any configured publishers' when installing a package on Solaris"

# pkg publisher
PUBLISHER TYPE STATUS URI
solaris (preferred) origin online http://pkg.oracle.com/solaris/release/
#
# pkg install gcc-3
pkg: 0/1 catalogs successfully updated:
Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework stall:
URL: 'http://pkg.oracle.com/solaris/release'. (happened 4 times)
Found the Answer:
It was adding the proxy settings to profile
export http_proxy=http://URL:port
If you what to use the repository also in the non-globale zone it is better to use the pkg set-publisher --proxy option because the zone pkg proxy does not know your enviroment. Without the proxy option the repository works in globale zone but not in non globale zone.

Resources